IAEA NS-R-1
IAEA SAFETY STANDARDS SERIES
Safety of Nuclear Power Plants: Design
REQUIREMENTS
No. NS-R-1
INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA
SAFETY OF NUCLEAR POWER PLANTS: DESIGN
The following States are Members of the International Atomic Energy Agency:
AFGHANISTAN
ALBANIA
ALGERIA
ANGOLA
ARGENTINA
ARMENIA
AUSTRALIA
AUSTRIA
BANGLADESH
BELARUS
BELGIUM
BENIN
BOLIVIA
BOSNIA AND HERZEGOVINA
BRAZIL
BULGARIA
BURKINA FASO
CAMBODIA
CAMEROON
CANADA
CHILE
CHINA
COLOMBIA
COSTA RICA
COTE D'IVOIRE
CROATIA
CUBA
CYPRUS
CZECH REPUBLIC
DEMOCRATIC REPUBLIC OF THE CONGO
DENMARK
DOMINICAN REPUBLIC
ECUADOR
EGYPT
EL SALVADOR
ESTONIA
ETHIOPIA
FINLAND
FRANCE
GABON
GEORGIA
GERMANY
GHANA
GREECE
GUATEMALA
HAITI
HOLY SEE
HUNGARY
ICELAND
INDIA
INDONESIA
IRAN, ISLAMIC REPUBLIC OF
IRAQ
IRELAND
ISRAEL
ITALY
JAMAICA
JAPAN
JORDAN
KAZAKHSTAN
KENYA
KOREA, REPUBLIC OF
KUWAIT
LATVIA
LEBANON
LIBERIA
LIBYAN ARAB JAMAHIRIYA
LIECHTENSTEIN
LITHUANIA
LUXEMBOURG
MADAGASCAR
MALAYSIA
MALI
MALTA
MARSHALL ISLANDS
MAURITIUS
MEXICO
MONACO
MONGOLIA
MOROCCO
MYANMAR
NAMIBIA
NETHERLANDS
NEW ZEALAND
NICARAGUA
NIGER
NIGERIA
NORWAY
PAKISTAN
PANAMA
PARAGUAY
PERU
PHILIPPINES
POLAND
PORTUGAL
QATAR
REPUBLIC OF MOLDOVA
ROMANIA
RUSSIAN FEDERATION
SAUDI ARABIA
SENEGAL
SIERRA LEONE
SINGAPORE
SLOVAKIA
SLOVENIA
SOUTH AFRICA
SPAIN
SRI LANKA
SUDAN
SWEDEN
SWITZERLAND
SYRIAN ARAB REPUBLIC
THAILAND
THE FORMER YUGOSLAV REPUBLIC OF MACEDONIA
TUNISIA
TURKEY
UGANDA
UKRAINE
UNITED ARAB EMIRATES
UNITED KINGDOM OF GREAT BRITAIN AND NORTHERN IRELAND
UNITED REPUBLIC OF TANZANIA
UNITED STATES OF AMERICA
URUGUAY
UZBEKISTAN
VENEZUELA
VIET NAM
YEMEN
YUGOSLAVIA
ZAMBIA
ZIMBABWE
The Agency's Statute was approved on 23 October 1956 by the Conference on the Statute of the
IAEA held at United Nations Headquarters, New York; it entered into force on 29 July 1957. The
Headquarters of the Agency are situated in Vienna. Its principal objective is to accelerate and enlarge the
contribution of atomic energy to peace, health and prosperity throughout the world.
© IAEA, 2000
Permission to reproduce or translate the information contained in this publication may be
obtained by writing to the International Atomic Energy Agency, Wagramer Strasse 5, P.O. Box 100,
A-1400 Vienna, Austria.
Printed by the IAEA in Austria
September 2000
STI/PUB/1099
SAFETY OF NUCLEAR POWER PLANTS: DESIGN
SAFETY REQUIREMENTS
FOREWORD
by Mohamed ElBaradei
Director General
One of the statutory functions of the IAEA is to establish or adopt standards of
safety for the protection of health, life and property in the development and
application of nuclear energy for peaceful purposes, and to provide for the application
of these standards to its own operations as well as to assisted operations and, at the
request of the parties, to operations under any bilateral or multilateral arrangement,
or, at the request of a State, to any of that State's activities in the field of nuclear
energy.
The following advisory bodies oversee the development of safety standards: the
Advisory Commission for Safety Standards (ACSS); the Nuclear Safety Standards
Advisory Committee (NUSSAC); the Radiation Safety Standards Advisory
Committee (RASSAC); the Transport Safety Standards Advisory Committee
(TRANSSAC); and the Waste Safety Standards Advisory Committee (WASSAC).
Member States are widely represented on these committees.
In order to ensure the broadest international consensus, safety standards are
also submitted to all Member States for comment before approval by the IAEA Board
of Governors (for Safety Fundamentals and Safety Requirements) or, on behalf of the
Director General, by the Publications Committee (for Safety Guides).
The IAEA's safety standards are not legally binding on Member States but may
be adopted by them, at their own discretion, for use in national regulations in respect
of their own activities. The standards are binding on the IAEA in relation to its own
operations and on States in relation to operations assisted by the IAEA. Any State
wishing to enter into an agreement with the IAEA for its assistance in connection
with the siting, design, construction, commissioning, operation or decommissioning
of a nuclear facility or any other activities will be required to follow those parts of the
safety standards that pertain to the activities to be covered by the agreement.
However, it should be recalled that the final decisions and legal responsibilities in any
licensing procedures rest with the States.
Although the safety standards establish an essential basis for safety, the
incorporation of more detailed requirements, in accordance with national practice,
may also be necessary. Moreover, there will generally be special aspects that need to
be assessed by experts on a case by case basis.
The physical protection of fissile and radioactive materials and of nuclear
power plants as a whole is mentioned where appropriate but is not treated in detail;
obligations of States in this respect should be addressed on the basis of the relevant
instruments and publications developed under the auspices of the IAEA.
EDITORIAL NOTE
An appendix, when included, is considered to form an integral part of the standard and
to have the same status as the main text. Annexes, footnotes and bibliographies, if included, are
used to provide additional information or practical examples that might be helpful to the user.
The safety standards use the form "shall" in making statements about requirements,
responsibilities and obligations. Use of the form "should" denotes recommendations of a
desired option.
CONTENTS
1. INTRODUCTION
Background (1.1)
Objective (1.2–1.4)
Scope (1.5–1.7)
Structure (1.8)
2.
3.
4.
5.
Ageing (5.47)
Human factors (5.48–5.56)
Other design considerations (5.57–5.68)
Safety analysis (5.69–5.73)
6.
REFERENCES
GLOSSARY
CONTRIBUTORS TO DRAFTING AND REVIEW
ADVISORY BODIES FOR THE ENDORSEMENT OF SAFETY STANDARDS
1. INTRODUCTION
BACKGROUND
1.1. The present publication supersedes the Code on the Safety of Nuclear Power
Plants: Design (Safety Series No. 50-C-D (Rev. 1), issued in 1988). It takes account
of developments relating to the safety of nuclear power plants since the Code on
Design was last revised. These developments include the issuing of the Safety
Fundamentals publication, The Safety of Nuclear Installations [1], and the present
revision of various safety standards and other publications relating to safety.
Requirements for nuclear safety are intended to ensure adequate protection of site
personnel, the public and the environment from the effects of ionizing radiation arising
from nuclear power plants. It is recognized that technology and scientific knowledge
advance, and nuclear safety and what is considered adequate protection are not static
entities. Safety requirements change with these developments and this publication
reflects the present consensus.
OBJECTIVE
1.2. This Safety Requirements publication takes account of the developments in
safety requirements by, for example, including the consideration of severe accidents
in the design process. Other topics that have been given more detailed attention
include management of safety, design management, plant ageing and wearing out
effects, computer based safety systems, external and internal hazards, human factors,
feedback of operational experience, and safety assessment and verification.
1.3. This publication establishes safety requirements that define the elements
necessary to ensure nuclear safety. These requirements are applicable to safety functions
and the associated structures, systems and components, as well as to procedures
important to safety in nuclear power plants. It is expected that this publication will be
used primarily for land based stationary nuclear power plants with water cooled reactors
designed for electricity generation or for other heat production applications (such as
district heating or desalination). It is recognized that in the case of other reactor types,
including innovative developments in future systems, some of the requirements may
not be applicable, or may need some judgement in their interpretation. Various Safety
Guides will provide guidance in the interpretation and implementation of these
requirements.
SCOPE
1.5. This publication establishes design requirements for structures, systems and
components important to safety that must be met for safe operation of a nuclear power
plant, and for preventing or mitigating the consequences of events that could jeopardize safety. It also establishes requirements for a comprehensive safety assessment,
which is carried out in order to identify the potential hazards that may arise from the
operation of the plant, under the various plant states (operational states and accident
conditions). The safety assessment process includes the complementary techniques of
deterministic safety analysis and probabilistic safety analysis. These analyses necessitate consideration of postulated initiating events (PIEs), which include many factors
that, singly or in combination, may affect safety and which may:
– originate in the operation of the nuclear power plant itself;
– be caused by human action;
– be directly related to the nuclear power plant and its environment.
1.6. This publication also addresses events that are very unlikely to occur, such as
severe accidents that may result in major radioactive releases, and for which it may
be appropriate and practicable to provide preventive or mitigatory features in the
design.
1.7. This publication does not address:
– external natural or human induced events that are extremely unlikely (such as
the impact of a meteorite or an artificial satellite);
– conventional industrial accidents that under no circumstances could affect the
safety of the nuclear power plant; or
– non-radiological effects arising from the operation of nuclear power plants,
which may be subject to separate national regulatory requirements.
STRUCTURE
1.8. This Safety Requirements publication follows the relationship between principles
and objectives for safety, and safety requirements and criteria. Section 2 elaborates on
the safety principles, objectives and concepts which form the basis for deriving the
safety requirements that must be met in the design of the plant. The safety objectives
(in italics in Section 2) are reproduced from the Safety Fundamentals publication, The
Safety of Nuclear Installations [1]. Section 3 covers the principal requirements to be
applied by the design organization in the management of the design process, and also
requirements for safety assessment, for quality assurance and for the use of proven
engineering practices and operational experience. Section 4 provides the principal
and more general technical requirements for defence in depth and radiation protection. Section 5 provides general plant design requirements which supplement the
principal requirements to ensure that the safety objectives are met. Section 6 provides
design requirements applicable to specific plant systems, such as the reactor core,
coolant systems and containment systems. Appendix I elaborates on the definition
and application of the concept of a postulated initiating event. Appendix II discusses
the application of redundancy, diversity and independence as measures to enhance
reliability and to protect against common cause failures. The Annex elaborates on
safety functions for reactors.
SAFETY OBJECTIVES
2.1. The Safety Fundamentals publication, The Safety of Nuclear Installations [1],
presents three fundamental safety objectives, upon the basis of which the requirements
for minimizing the risks associated with nuclear power plants are derived. The following paras 2.2–2.6 are reproduced directly from The Safety of Nuclear Installations,
paras 203–207.
2.2. General Nuclear Safety Objective: To protect individuals, society and the
environment from harm by establishing and maintaining in nuclear installations
effective defences against radiological hazards.
2.3. This General Nuclear Safety Objective is supported by two complementary
Safety Objectives dealing with radiation protection and technical aspects. They are
interdependent: the technical aspects in conjunction with administrative and procedural measures ensure defence against hazards due to ionizing radiation.
2.4. Radiation Protection Objective: To ensure that in all operational states
radiation exposure within the installation or due to any planned release of radioactive
material from the installation is kept below prescribed limits and as low as
releases are of very low probability (likelihood) of occurrence, and plant states with
significant probability (likelihood) of occurrence have only minor or no potential
radiological consequences. An essential objective is that the need for external intervention measures may be limited or even eliminated in technical terms, although such
measures may still be required by national authorities.
(1) The aim of the first level of defence is to prevent deviations from normal
operation, and to prevent system failures. This leads to the requirement that
the plant be soundly and conservatively designed, constructed, maintained
and operated in accordance with appropriate quality levels and engineering
practices, such as the application of redundancy, independence and diversity.
To meet this objective, careful attention is paid to the selection of appropriate
design codes and materials, and to the control of fabrication of components
and of plant construction. Design options that can contribute to reducing the
potential for internal hazards (e.g. controlling the response to a PIE), to
reducing the consequences of a given PIE, or to reducing the likely release
source term following an accident sequence contribute at this level of
defence. Attention is also paid to the procedures involved in the design, fabrication, construction and in-service plant inspection, maintenance and testing, to the ease of access for these activities, to the way the plant is operated
and to how operational experience is utilized. This whole process is supported by a detailed analysis which determines the operational and maintenance
requirements for the plant.
(2) The aim of the second level of defence is to detect and intercept deviations
from normal operational states in order to prevent anticipated operational
occurrences from escalating to accident conditions. This is in recognition of
the fact that some PIEs are likely to occur over the service lifetime of a nuclear
power plant, despite the care taken to prevent them. This level necessitates the
provision of specific systems as determined in the safety analysis and the definition of operating procedures to prevent or minimize damage from such
PIEs.
(3) For the third level of defence, it is assumed that, although very unlikely, the
escalation of certain anticipated operational occurrences or PIEs may not be
arrested by a preceding level and a more serious event may develop. These
unlikely events are anticipated in the design basis for the plant, and inherent
safety features, fail-safe design, additional equipment and procedures are provided to control their consequences and to achieve stable and acceptable plant
states following such events. This leads to the requirement that engineered safety features be provided that are capable of leading the plant first to a controlled
state, and subsequently to a safe shutdown state, and maintaining at least one
barrier for the confinement of radioactive material.
(4) The aim of the fourth level of defence is to address severe accidents in which
the design basis may be exceeded and to ensure that radioactive releases are
kept as low as practicable. The most important objective of this level is the protection of the confinement function. This may be achieved by complementary
measures and procedures to prevent accident progression, and by mitigation of
the consequences of selected severe accidents, in addition to accident management procedures. The protection provided by the confinement may be demonstrated using best estimate methods.
(5) The fifth and final level of defence is aimed at mitigation of the radiological
consequences of potential releases of radioactive materials that may result from
accident conditions. This requires the provision of an adequately equipped
emergency control centre, and plans for the on-site and off-site emergency
response.
MANAGEMENT OF DESIGN
3.2. The design management for a nuclear power plant shall ensure that the structures, systems and components important to safety have the appropriate characteristics,
specifications and material composition so that the safety functions can be performed
and the plant can operate safely with the necessary reliability for the full duration of
its design life, with accident prevention and protection of site personnel, the public
and the environment as prime objectives.
3.3. The design management shall ensure that the requirements of the operating
organization are met and that due account is taken of the human capabilities and
limitations of personnel. The design organization shall supply adequate safety design
information to ensure safe operation and maintenance of the plant and to allow
subsequent plant modifications to be made, and recommended practices for
incorporation into the plant administrative and operational procedures (i.e. operational limits and conditions).
3.4. The design management shall take account of the results of the deterministic
and complementary probabilistic safety analyses, so that an iterative process takes
place by means of which it shall be ensured that due consideration has been given to
the prevention of accidents and mitigation of their consequences.
3.5. The design management shall ensure that the generation of radioactive waste is
kept to the minimum practicable, in terms of both activity and volume, by appropriate
design measures and operational and decommissioning practices.
SAFETY ASSESSMENT
3.10. A comprehensive safety assessment shall be carried out to confirm that the
design as delivered for fabrication, as for construction and as built meets the safety
requirements set out at the beginning of the design process.
3.11. The safety assessment shall be part of the design process, with iteration
between the design and confirmatory analytical activities, and increasing in the scope
and level of detail as the design programme progresses.
3.12. The basis for the safety assessment shall be data derived from the safety analysis,
previous operational experience, results of supporting research and proven engineering
practice.
QUALITY ASSURANCE¹
3.14. A quality assurance programme that describes the overall arrangements for the
management, performance and assessment of the plant design shall be prepared and
implemented. This programme shall be supported by more detailed plans for each
structure, system and component so that the quality of the design is ensured at all
times.
3.15. Design, including subsequent changes or safety improvements, shall be carried
out in accordance with established procedures that call on appropriate engineering
codes and standards, and shall incorporate applicable requirements and design bases.
Design interfaces shall be identified and controlled.
3.16. The adequacy of design, including design tools and design inputs and outputs,
shall be verified or validated by individuals or groups separate from those who originally performed the work. Verification, validation and approval shall be completed
before implementation of the detailed design.
(1) shall provide multiple physical barriers to the uncontrolled release of radioactive materials to the environment;
(2) shall be conservative, and the construction shall be of high quality, so as to provide confidence that plant failures and deviations from normal operations are minimized and accidents prevented;
(3) shall provide for control of the plant behaviour during and following a PIE, using inherent and engineered features, i.e. uncontrolled transients shall be minimized or excluded by design to the extent possible;
(4) shall provide for supplementing control of the plant, by the use of automatic activation of safety systems in order to minimize operator actions in the early phase of PIEs and by operator actions;
(5) shall provide for equipment and procedures to control the course and limit the consequences of accidents as far as practicable;
(6) shall provide multiple means for ensuring that each of the fundamental safety functions, i.e. control of the reactivity, heat removal and the confinement of radioactive materials, is performed, thereby ensuring the effectiveness of the barriers and mitigating the consequences of any PIEs.
4.2. To ensure that the overall safety concept of defence in depth is maintained, the
design shall be such as to prevent as far as practicable:
(1)
(2)
(3)
4.3. The design shall be such that the first, or at most the second, level of defence is
capable of preventing escalation to accident conditions for all but the most improbable PIEs.
4.4. The design shall take into account the fact that the existence of multiple levels of
defence is not a sufficient basis for continued power operation in the absence of one level
of defence. All levels of defence shall be available at all times, although some relaxations
may be specified for the various operational modes other than power operation.
SAFETY FUNCTIONS
4.5. The objective of the safety approach shall be: to provide adequate means to
maintain the plant in a normal operational state; to ensure the proper short term
response immediately following a PIE; and to facilitate the management of the plant
in and following any design basis accident, and in those selected accident conditions
beyond the design basis accidents.
4.6. To ensure safety, the following fundamental safety functions shall be performed
in operational states, in and following a design basis accident and, to the extent practicable, on the occurrence of those selected accident conditions that are beyond the
design basis accidents:
(1)
(2)
(3)
(3)
(4)
classified on the basis of their function and significance with regard to safety. They
shall be designed, constructed and maintained such that their quality and reliability is
commensurate with this classification.
5.2. The method for classifying the safety significance of a structure, system or
component shall primarily be based on deterministic methods, complemented where
appropriate by probabilistic methods and engineering judgement, with account taken
of factors such as:
(1)
(2)
(3)
(4)
5.3. Appropriately designed interfaces shall be provided between structures, systems and components of different classes to ensure that any failure in a system
classified in a lower class will not propagate to a system classified in a higher
class.
Internal events
5.9. An analysis of the PIEs (see Appendix I) shall be made to establish all those
internal events which may affect the safety of the plant. These events may include
equipment failures or maloperation.
Fires and explosions
5.10. Structures, systems and components important to safety shall be designed and
located so as to minimize, consistent with other safety requirements, the probabilities
and effects of fires and explosions caused by external or internal events. The capability
for shutdown, residual heat removal, confinement of radioactive material and
monitoring of the state of the plant shall be maintained. These requirements shall be
met by suitable incorporation of redundant parts, diverse systems, physical separation
and design for fail-safe operation such that the following objectives are achieved:
(1)
(2)
(3) to prevent the spread of those fires which have not been extinguished, thus
minimizing their effects on essential plant functions.
5.11. A fire hazard analysis of the plant shall be carried out to determine the necessary
rating of the fire barriers, and fire detection and fire fighting systems of the necessary
capability shall be provided.
5.12. Fire fighting systems shall be automatically initiated where necessary, and
systems shall be designed and located so as to ensure that their rupture or spurious or
inadvertent operation does not significantly impair the capability of structures,
systems and components important to safety, and does not simultaneously affect
redundant safety groups, thereby rendering ineffective the measures taken to comply
with the single failure criterion.
5.13. Non-combustible or fire retardant and heat resistant materials shall be used
wherever practicable throughout the plant, particularly in locations such as the
containment and the control room.
Other internal hazards
5.14. The potential for internal hazards such as flooding, missile generation, pipe
whip, jet impact, or release of fluid from failed systems or from other installations on
the site shall be taken into account in the design of the plant. Appropriate preventive
and mitigatory measures shall be provided to ensure that nuclear safety is not
compromised. Some external events may initiate internal fires or floods and may lead
to the generation of missiles. Such interaction of external and internal events shall
also be considered in the design, where appropriate.
5.15. If two fluid systems that are operating at different pressures are interconnected,
either the systems shall both be designed to withstand the higher pressure, or provision shall be made to preclude the design pressure of the system operating at the
lower pressure from being exceeded, on the assumption that a single failure occurs.
External events
5.16. The design basis natural and human induced external events shall be determined for the proposed combination of site and plant. All those events with which significant radiological risk may be associated shall be considered. A combination of
deterministic and probabilistic methods shall be used to select a subset of external
events which the plant is designed to withstand, and from which the design bases are
determined.
5.17. Natural external events which shall be considered include those which have
been identified in site characterization, such as earthquakes, floods, high winds,
tornadoes, tsunami (tidal waves) and extreme meteorological conditions. Human
induced external events that shall be considered include those that have been identified in site characterization and for which design bases have been derived. The list
of these events shall be reassessed for completeness at an early stage of the design
process.
Site related characteristics²
5.18. In determining the design basis of a nuclear power plant, various interactions
between the plant and the environment, including such factors as population, meteorology, hydrology, geology and seismology, shall be taken into account. The availability of off-site services upon which the safety of the plant and protection of the
public may depend, such as the electricity supply and fire fighting services, shall also
be taken into account.
5.19. Projects for nuclear power plants to be sited in tropical, polar, arid or volcanic
areas shall be assessed with a view to identifying special design features which may
be necessary as a result of the characteristics of the site.
Combinations of events
5.20. Where combinations of randomly occurring individual events could credibly
lead to anticipated operational occurrences or accident conditions, they shall be
considered in the design. Certain events may be the consequences of other events,
such as a flood following an earthquake. Such consequential effects shall be considered
to be part of the original PIE.
Design rules
5.21. The engineering design rules for structures, systems and components shall be
specified and shall comply with the appropriate accepted national standard engineering
practices (see para. 3.6), or those standards or practices already used internationally
or established in another country and whose use is applicable and also accepted by
the national regulatory body.
5.22. The seismic design of the plant shall provide for a sufficient safety margin to
protect against seismic events.
Design limits
5.23. A set of design limits consistent with the key physical parameters for each
structure, system or component shall be specified for operational states and design
basis accidents.
Operational states
5.24. The plant shall be designed to operate safely within a defined range of parameters (for example, of pressure, temperature, power), and a minimum set of specified support features for safety systems (for example, auxiliary feedwater capacity
and an emergency electrical power supply) shall be assumed to be available. The
design shall be such that the response of the plant to a wide range of anticipated
operational occurrences will allow safe operation or shutdown, if necessary, without
the necessity of invoking provisions beyond the first, or at the most the second, level
of defence in depth.
5.25. The potential for accidents to occur in low power and shutdown states, such as
startup, refuelling and maintenance, when the availability of safety systems may be
reduced, shall be addressed in the design, and appropriate limitations on the unavailability of safety systems shall be specified.
5.26. The design process shall establish a set of requirements and limitations for safe
operation, including:
(1)
(2)
(3)
(4)
These requirements and limitations shall be a basis for the establishment of operational limits and conditions under which the operating organization will be authorized
to operate the plant.
(1) Important event sequences that may lead to a severe accident shall be identified
using a combination of probabilistic methods, deterministic methods and sound
engineering judgement.
(2) These event sequences shall then be reviewed against a set of criteria aimed at
determining which severe accidents shall be addressed in the design.
(3) Potential design changes or procedural changes that could either reduce the
likelihood of these selected events, or mitigate their consequences should these
selected events occur, shall be evaluated and shall be implemented if reasonably
practicable.
(4) Consideration shall be given to the plant's full design capabilities, including the
possible use of some systems (i.e. safety and non-safety systems) beyond their
originally intended function and anticipated operational states, and the use of
additional temporary systems, to return the plant to a controlled state and/or to
mitigate the consequences of a severe accident, provided that it can be shown that
the systems are able to function in the environmental conditions to be expected.
(5) For multiunit plants, consideration shall be given to the use of available means
and/or support from other units, provided that the safe operation of the other
units is not compromised.
(6) Accident management procedures shall be established, taking into account
representative and dominant severe accident scenarios.
possible failures have been analysed. The analyses of each pertinent safety group shall
then be conducted in turn until all safety groups and all failures have been considered. (In this Safety Requirements publication, safety functions, or systems contributing to performing those safety functions, for which redundancy is necessary to
achieve the necessary reliability have been identified by the statement on the
assumption of a single failure.) The assumption of a single failure in that system is
part of the process described. At no point in the single failure analysis is more than
one random failure assumed to occur.
5.36. Spurious action shall be considered as one mode of failure when applying the
concept to a safety group or system.
5.37. Compliance with the criterion shall be considered to have been achieved when
each safety group has been shown to perform its safety function when the above
analyses are applied, under the following conditions:
(1) any potentially harmful consequences of the PIE for the safety group are
assumed to occur; and
(2) the worst permissible configuration of safety systems performing the necessary
safety function is assumed, with account taken of maintenance, testing, inspection and repair, and allowable equipment outage times.
5.38. Non-compliance with the single failure criterion shall be exceptional, and shall
be clearly justified in the safety analysis.
5.39. In the single failure analysis, it may not be necessary to assume the failure of a
passive component designed, manufactured, inspected and maintained in service to an
extremely high quality, provided that it remains unaffected by the PIE. However,
when it is assumed that a passive component does not fail, such an analytical
approach shall be justified, with account taken of the loads and environmental conditions, as well as the total period of time after the initiating event for which functioning
of the component is necessary.
Fail-safe design
5.40. The principle of fail-safe design shall be considered and incorporated into the
design of systems and components important to safety for the plant as appropriate: if
a system or component fails, plant systems shall be designed to pass into a safe state
with no necessity for any action to be initiated.
Auxiliary services
5.41. Auxiliary services that support equipment forming part of a system important
to safety shall be considered part of that system and shall be classified accordingly.
Their reliability, redundancy, diversity and independence and the provision of features
for isolation and for testing of functional capability shall be commensurate with the
reliability of the system that is supported. Auxiliary services necessary to maintain the
plant in a safe state may include the supply of electricity, cooling water and compressed air or other gases, and means of lubrication.
Equipment outages
5.42. The design shall be such as to ensure, by the application of measures such as
increased redundancy, that reasonable on-line maintenance and testing of systems
important to safety can be conducted without the necessity to shut down the plant.
Equipment outages, including unavailability of systems or components due to failure,
shall be taken into account, and the impact of the anticipated maintenance, test and
repair work on the reliability of each individual safety system shall be included in this
consideration in order to ensure that the safety function can still be achieved with the
necessary reliability. The time allowed for equipment outages and the actions to be
taken shall be analysed and defined for each case before the start of plant operation
and included in the plant operating instructions.
EQUIPMENT QUALIFICATION
5.45. A qualification procedure shall be adopted to confirm that the items important
to safety are capable of meeting, throughout their design operational lives, the
demands for performing their functions while being subject to the environmental conditions (of vibration, temperature, pressure, jet impingement, electromagnetic interference, irradiation, humidity or any likely combination thereof) prevailing at the time
of need. The environmental conditions to be considered shall include the variations
expected in normal operation, anticipated operational occurrences and design basis
accidents. In the qualification programme, consideration shall be given to ageing
effects caused by various environmental factors (such as vibration, irradiation and
extreme temperature) over the expected lifetime of the equipment. Where the equipment is subject to external natural events and is needed to perform a safety function
in or following such an event, the qualification programme shall replicate as far as
practicable the conditions imposed on the equipment by the natural phenomenon,
either by test or by analysis or by a combination of both.
5.46. In addition, any unusual environmental conditions that can reasonably be anticipated and could arise from specific operational states, such as in periodic testing of
the containment leak rate, shall be included in the qualification programme. To the
extent possible, equipment (such as certain instrumentation) that must operate in a
severe accident should be shown, with reasonable confidence, to be capable of
achieving the design intent.
AGEING
5.47. Appropriate margins shall be provided in the design for all structures, systems
and components important to safety so as to take into account relevant ageing and
wear-out mechanisms and potential age related degradation, in order to ensure the
capability of the structure, system or component to perform the necessary safety function throughout its design life. Ageing and wear-out effects in all normal operating
conditions, testing, maintenance, maintenance outages, and plant states in a PIE and
post-PIE shall also be taken into account. Provision shall also be made for
HUMAN FACTORS
Design for optimal operator performance
5.48. The design shall be operator friendly and shall be aimed at limiting the effects
of human errors. Attention shall be paid to plant layout and procedures (administrative,
operational and emergency), including maintenance and inspection, in order to facilitate the interface between the operating personnel and the plant.
5.49. The working areas and working environment of the site personnel shall be
designed according to ergonomic principles.
5.50. Systematic consideration of human factors and the human-machine interface
shall be included in the design process at an early stage and shall continue throughout
the entire process, to ensure an appropriate and clear distinction of functions between
operating personnel and the automatic systems provided.
5.51. The human-machine interface shall be designed to provide the operators with comprehensive but easily manageable information, compatible with the necessary decision
and action times. Similar provisions shall be made for the supplementary control room.
5.52. Verification and validation of aspects of human factors shall be included at
appropriate stages to confirm that the design adequately accommodates all necessary
operator actions.
5.53. To assist in the establishment of design criteria for information display and
controls, the operator shall be considered to have dual roles: that of a systems
manager, including accident management, and that of an equipment operator.
5.54. In the systems manager role, the operator shall be provided with information
that permits the following:
(1) the ready assessment of the general state of the plant in whichever condition it
is, whether in normal operation, in an anticipated operational occurrence or in
an accident condition, and confirmation that the designed automatic safety
actions are being carried out; and
(2)
5.55. As equipment operator, the operator shall be provided with sufficient information on parameters associated with individual plant systems and equipment to confirm
that the necessary safety actions can be initiated safely.
5.56. The design shall be aimed at promoting the success of operator actions with due
regard for the time available for action, the physical environment to be expected and
the psychological demands to be made on the operator. The need for intervention by
the operator on a short time-scale shall be kept to a minimum. It shall be taken into
account in the design that the necessity for such intervention is only acceptable provided that the designer can demonstrate that the operator has sufficient time to make a
decision and to act; that the information necessary for the operator to make the decision to act is simply and unambiguously presented; and that following an event the
physical environment in the control room or in the supplementary control room and on
the access route to that supplementary control room is acceptable.
radioactive materials from the nuclear plant to the desalination or district heating unit
under any condition of normal operation, anticipated operational occurrences, design
basis accidents and selected severe accidents.
maintenance, testing or inspection purposes, it shall be ensured in the design that the
necessary activities can be performed without significantly reducing the reliability of
safety related equipment.
Interactions of systems
5.66. If there is a significant probability that it will be necessary for systems important to safety to operate simultaneously, their possible interaction shall be evaluated.
In the analysis, account shall be taken not only of physical interconnections, but also
of the possible effects of one system's operation, maloperation or failure on the
physical environment of other essential systems, in order to ensure that changes in
the environment do not affect the reliability of system components in functioning as
intended.
Interactions between the electrical power grid and the plant
5.67. In the design of the plant, account shall be taken of power grid-plant interactions, including the independence of and number of power supply lines to the plant,
in relation to the necessary reliability of the power supply to plant systems important
to safety.
Decommissioning
5.68. At the design stage, special consideration shall be given to the incorporation of
features that will facilitate the decommissioning and dismantling of the plant. In
particular, account shall be taken in the design of:
(1) the choice of materials, such that eventual quantities of radioactive waste are
minimized and decontamination is facilitated;
(2) the access capabilities that may be necessary; and
(3) the facilities necessary for storing radioactive waste generated in both operation
and decommissioning of the plant.
SAFETY ANALYSIS
5.69. A safety analysis of the plant design shall be conducted in which methods of
both deterministic and probabilistic analysis shall be applied. On the basis of this
analysis, the design basis for items important to safety shall be established and
confirmed. It shall also be demonstrated that the plant as designed is capable of meeting
any prescribed limits for radioactive releases and acceptable limits for potential
radiation doses for each category of plant states (see para. 5.7), and that defence in
depth has been effected.
5.70. The computer programs, analytical methods and plant models used in the safety
analysis shall be verified and validated, and adequate consideration shall be given to
uncertainties.
Deterministic approach
5.71. The deterministic safety analysis shall include the following:
(1) confirmation that operational limits and conditions are in compliance with the
assumptions and intent of the design for normal operation of the plant;
(2) characterization of the PIEs (see Appendix I) that are appropriate for the design
and site of the plant;
(3) analysis and evaluation of event sequences that result from PIEs;
(4) comparison of the results of the analysis with radiological acceptance criteria
and design limits;
(5) establishment and confirmation of the design basis; and
(6) demonstration that the management of anticipated operational occurrences and
design basis accidents is possible by automatic response of safety systems in
combination with prescribed actions of the operator.
5.72. The applicability of the analytical assumptions, methods and degree of conservatism used shall be verified. The safety analysis of the plant design shall be updated
with regard to significant changes in plant configuration, operational experience, and
advances in technical knowledge and understanding of physical phenomena, and shall
be consistent with the current or as built state.
Probabilistic approach
5.73. A probabilistic safety analysis of the plant shall be carried out in order:
(1) to provide a systematic analysis to give confidence that the design will comply
with the general safety objectives;
(2) to demonstrate that a balanced design has been achieved such that no particular
feature or PIE makes a disproportionately large or significantly uncertain
contribution to the overall risk, and that the first two levels of defence in depth
bear the primary burden of ensuring nuclear safety;
(3) to provide confidence that small deviations in plant parameters that could give
rise to severely abnormal plant behaviour (cliff edge effects) will be prevented;
(4)
(5)
(6)
(7)
(8)
6.5. The reactor core and associated coolant, control and protection systems shall be
designed to enable adequate inspection and testing throughout the service lifetime of
the plant.
Fuel elements and assemblies
6.6. Fuel elements and assemblies shall be designed to withstand satisfactorily the
anticipated irradiation and environmental conditions in the reactor core in combination with all processes of deterioration that can occur in normal operation and in
anticipated operational occurrences.
6.7. The deterioration considered shall include that arising from: differential expansion and deformation; external pressure of the coolant; additional internal pressure
due to the fission products in the fuel element; irradiation of fuel and other materials
in the fuel assembly; changes in pressures and temperatures resulting from changes
in power demand; chemical effects; static and dynamic loading, including flow
induced vibrations and mechanical vibrations; and changes in heat transfer performance that may result from distortions or chemical effects. Allowance shall be made
for uncertainties in data, calculations and fabrication.
6.8. Specified fuel design limits, including permissible leakage of fission products,
shall not be exceeded in normal operation, and it shall be ensured that operational
states that may be imposed in anticipated operational occurrences cause no significant
further deterioration. Leakage of fission products shall be restricted by design limits
and kept to a minimum.
6.9. Fuel assemblies shall be designed to permit adequate inspection of their structure and component parts after irradiation. In design basis accidents, the fuel elements
shall remain in position and shall not suffer distortion to an extent that would render
post-accident core cooling insufficiently effective; and the specified limits for fuel
elements for design basis accidents shall not be exceeded.
6.10. The aforementioned requirements for reactor and fuel element design shall also
be maintained in the event of changes in fuel management strategy or in operational
states over the operational lifetime of the plant.
Control of the reactor core
6.11. The provisions of paras 6.3–6.10 shall be met for all levels and distributions
of neutron flux that can arise in all states of the core, including those after shutdown
and during or after refuelling, and those arising from anticipated operational
occurrences and design basis accidents. Adequate means of detecting these flux distributions shall be provided to ensure that there are no regions of the core in which
the provisions of paras 6.3–6.10 could be breached without being detected. The
design of the core shall sufficiently reduce the demands made on the control system
for maintaining flux shapes, levels and stability within specified limits in all operational states.
6.12. Provision shall be made for the removal of non-radioactive substances, including
corrosion products, which may compromise the safety of the system, for example by
clogging coolant channels.
Reactor shutdown
6.13. Means shall be provided to ensure that there is a capability to shut down the
reactor in operational states and design basis accidents, and that the shutdown condition can be maintained even for the most reactive core conditions. The effectiveness, speed of action and shutdown margin of the means of shutdown shall be such
that the specified limits are not exceeded. For the purpose of reactivity control and
flux shaping in normal power operation, a part of the means of shutdown may be
used provided that the shutdown capability is maintained with an adequate margin
at all times.
6.14. The means for shutting down the reactor shall consist of at least two different
systems to provide diversity.
6.15. At least one of the two systems shall be, on its own, capable of quickly rendering
the nuclear reactor subcritical by an adequate margin from operational states and in
design basis accidents, on the assumption of a single failure. Exceptionally, a transient
recriticality may be permitted provided that the specified fuel and component limits
are not exceeded.
6.16. At least one of these two systems shall be, on its own, capable of rendering the
reactor subcritical from normal operational states, in anticipated operational occurrences and in design basis accidents, and of maintaining the reactor subcritical by an
adequate margin and with high reliability, even for the most reactive conditions of the
core.
6.17. In judging the adequacy of the means of shutdown, consideration shall be given
to failures arising anywhere in the plant that could render part of the means of
shutdown inoperative (such as failure of a control rod to insert) or could result in a
common cause failure.
in a regime of high resistance to unstable fracture with fast crack propagation, to permit
timely detection of flaws (such as by application of the leak before break concept).
Designs and plant states in which components of the reactor coolant pressure boundary
could exhibit brittle behaviour shall be avoided.
6.25. The design shall reflect consideration of all conditions of the boundary material
in operational states, including those for maintenance and testing, and under design
basis accident conditions, with account taken of the expected end-of-life properties
affected by erosion, creep, fatigue, the chemical environment, the radiation environment and ageing, and any uncertainties in determining the initial state of the components and the rate of possible deterioration.
6.26. The design of the components contained inside the reactor coolant pressure
boundary, such as pump impellers and valve parts, shall be such as to minimize the
likelihood of failure and associated consequential damage to other items of the primary
coolant system important to safety in all operational states and in design basis accidents,
with due allowance made for deterioration that may occur in service.
In-service inspection of the reactor coolant pressure boundary
6.27. The components of the reactor coolant pressure boundary shall be designed,
manufactured and arranged in such a way that it is possible, throughout the service
lifetime of the plant, to carry out at appropriate intervals adequate inspections and
tests of the boundary. Provision shall be made to implement a material surveillance
programme for the reactor coolant pressure boundary, particularly in locations of high
irradiation, and for other important components as appropriate, in order to determine the metallurgical effects of factors such as irradiation, stress corrosion cracking, thermal embrittlement and ageing of structural materials.
6.28. It shall be ensured that it is possible to inspect or test either directly or indirectly
the components of the reactor coolant pressure boundary, according to the safety
importance of those components, so as to demonstrate the absence of unacceptable
defects or of safety significant deterioration.
6.29. Indicators for the integrity of the reactor coolant pressure boundary (such as
leakage) shall be monitored. The results of such measurements shall be taken into
consideration in the determination of which inspections are necessary for safety.
6.30. If the safety analysis of the nuclear power plant indicates that particular failures
in the secondary cooling system may result in serious consequences, it shall be
ensured that it is possible to inspect the relevant parts of the secondary cooling system.
(1) the limiting parameters for the cladding or fuel integrity (such as temperature)
will not exceed the acceptable value for design basis accidents (for applicable
reactor designs);
(2) possible chemical reactions are limited to an allowable level;
(3) the alterations in the fuel and internal structural alterations will not significantly
reduce the effectiveness of the means of emergency core cooling; and
(4) the cooling of the core will be ensured for a sufficient time.
CONTAINMENT SYSTEM
Design of the containment system
6.43. A containment system shall be provided in order to ensure that any release of
radioactive materials to the environment in a design basis accident would be below
prescribed limits. This system may include, depending on design requirements:
leaktight structures; associated systems for the control of pressures and temperatures; and features for the isolation, management and removal of fission products,
hydrogen, oxygen and other substances that could be released into the containment
atmosphere.
6.44. All identified design basis accidents shall be taken into account in the design of
the containment system. In addition, consideration shall be given to the provision of
features for the mitigation of the consequences of selected severe accidents in order
to limit the release of radioactive material to the environment.
Strength of the containment structure
6.45. The strength of the containment structure, including access openings and penetrations and isolation valves, shall be calculated with sufficient margins of safety
on the basis of the potential internal overpressures, underpressures and temperatures, dynamic effects such as missile impacts, and reaction forces anticipated to
arise as a result of design basis accidents. The effects of other potential energy
sources, including, for example, possible chemical and radiolytic reactions, shall
also be considered. In calculating the necessary strength of the containment structure, natural phenomena and human induced events shall be taken into consideration, and provision shall be made to monitor the condition of the containment and
its associated features.
6.46. Provision for maintaining the integrity of the containment in the event of a
severe accident shall be considered. In particular, the effects of any predicted
combustion of flammable gases shall be taken into account.
Containment penetrations
6.51. The number of penetrations through the containment shall be kept to a practical
minimum.
6.52. All penetrations through the containment shall meet the same design requirements as the containment structure itself. They shall be protected against reaction
forces stemming from pipe movement or accidental loads such as those due to missiles,
jet forces and pipe whip.
6.53. If resilient seals (such as elastomeric seals or electrical cable penetrations) or
expansion bellows are used with penetrations, they shall be designed to have the
capability for leak testing at the containment design pressure, independent of the
determination of the leak rate of the containment as a whole, to demonstrate their
continued integrity over the lifetime of the plant.
Containment isolation
6.55. Each line that penetrates the containment as part of the reactor coolant pressure
boundary or that is connected directly to the containment atmosphere shall be automatically and reliably sealable in the event of a design basis accident in which the
leaktightness of the containment is essential to preventing radioactive releases to the
environment that exceed prescribed limits. These lines shall be fitted with at least two
adequate containment isolation valves arranged in series (normally with one outside
and the other inside the containment, but other arrangements may be acceptable
depending on the design), and each valve shall be capable of being reliably and independently actuated. Isolation valves shall be located as close to the containment as is
practicable. Containment isolation shall be achievable on the assumption of a single
failure. If the application of this requirement reduces the reliability of a safety system
that penetrates the containment, other isolation methods may be used.
6.56. Each line that penetrates the primary reactor containment and is neither part
of the reactor coolant pressure boundary nor connected directly to the containment
atmosphere shall have at least one adequate containment isolation valve. This valve
shall be outside the containment and located as close to the containment as
practicable.
6.57. Adequate consideration shall be given to the capability of isolation devices to
maintain their function in the event of a severe accident.
to reduce the amount of fission products that might be released to the environment in design basis accidents; and
to control the concentration of hydrogen, oxygen and other substances in the
containment atmosphere in design basis accidents in order to prevent deflagration or detonation which could jeopardize the integrity of the containment.
6.65. Systems for cleaning up the containment atmosphere shall have suitable redundancy in components and features to ensure that the safety group can fulfil the
necessary safety function, on the assumption of a single failure.
6.66. Adequate consideration shall be given to the control of fission products, hydrogen
and other substances that may be generated or released in the event of a severe accident.
plant in a safe state or to bring it back into such a state after the onset of anticipated
operational occurrences, design basis accidents and severe accidents. Appropriate
measures shall be taken and adequate information provided to safeguard the occupants
of the control room against consequent hazards, such as undue radiation levels
resulting from an accident condition or the release of radioactive material or explosive
or toxic gases, which could hinder necessary actions by the operator.
6.72. Special attention shall be given to identifying those events, both internal and
external to the control room, which may pose a direct threat to its continued operation,
and the design shall provide for reasonably practicable measures to minimize the
effects of such events.
6.73. The layout of the instrumentation and the mode of presentation of information
shall provide the operating personnel with an adequate overall picture of the status
and performance of the plant. Ergonomic factors shall be taken into account in the
design of the control room.
6.74. Devices shall be provided to give in an efficient way visual and, if appropriate,
also audible indications of operational states and processes that have deviated from
normal and could affect safety.
Supplementary control room
6.75. Sufficient instrumentation and control equipment shall be available, preferably
at a single location (supplementary control room) that is physically and electrically
separate from the control room, so that the reactor can be placed and maintained in a
shut down state, residual heat can be removed, and the essential plant variables can
be monitored should there be a loss of ability to perform these essential safety
functions in the control room.
Use of computer based systems in systems important to safety
6.76. If the design is such that a system important to safety is dependent upon the
reliable performance of a computer based system, appropriate standards and practices
for the development and testing of computer hardware and software shall be established and implemented throughout the life-cycle of the system, and in particular the
software development cycle. The entire development shall be subject to an appropriate
quality assurance programme.
6.77. The level of reliability necessary shall be commensurate with the safety importance of the system. The necessary level of reliability shall be achieved by means of
a comprehensive strategy that uses various complementary means (including an effective regime of analysis and testing) at each phase of development of the process, and
a validation strategy to confirm that the design requirements for the system have been
fulfilled.
6.78. The level of reliability assumed in the safety analysis for a computer based
system shall include a specified conservatism to compensate for the inherent
complexity of the technology and the consequent difficulty of analysis.
Automatic control
6.79. Various safety actions shall be automated so that operator action is not necessary
within a justified period of time from the onset of anticipated operational occurrences
or design basis accidents. In addition, appropriate information shall be available to the
operator to monitor the effects of the automatic actions.
Functions of the protection system
6.80. The protection system shall be designed:
(1)
(2)
(3)
6.82. The protection system shall be designed to ensure that the effects of normal
operation, anticipated operational occurrences and design basis accidents on
redundant channels do not result in loss of its function; or else such a loss shall be
demonstrated to be acceptable on some other basis. Design techniques such as testability, including a self-checking capability where necessary, fail-safe behaviour, functional diversity and diversity in component design or principles of operation shall be
used to the extent practicable to prevent loss of a protection function.
6.83. The protection system shall, unless its adequate reliability is ensured by some
other means, be designed to permit periodic testing of its functioning when the reactor
is in operation, including the possibility of testing channels independently to determine
failures and losses of redundancy that may have occurred. The design shall permit all
aspects of functionality from the sensor to the input signal to the final actuator to be
tested in operation.
6.84. The design shall be such as to minimize the likelihood that operator action
could defeat the effectiveness of the protection system in normal operations and
expected operational occurrences, but not to negate correct operator actions in design
basis accidents.
Use of computer based systems in protection
6.85. Where a computer based system is intended to be used in a protection system,
the following requirements shall supplement those of paras 6.76–6.78:
(1) the highest quality of and best practices for hardware and software shall be
used;
(2) the whole development process, including control, testing and commissioning
of design changes, shall be systematically documented and reviewable;
(3) in order to confirm confidence in the reliability of the computer based systems,
an assessment of the computer based system by expert personnel independent
of the designers and suppliers shall be undertaken; and
(4) where the necessary integrity of the system cannot be demonstrated with a high
level of confidence, a diverse means of ensuring fulfilment of the protection
functions shall be provided.
6.98. For reactors using a water pool system for fuel storage, the design shall provide the following:
(1) means for controlling the chemistry and activity of any water in which irradiated fuel is handled or stored;
(2) means for monitoring and controlling the water level in the fuel storage pool and for detecting leakage; and
(3) means to prevent emptying of the pool in the event of a pipe break (that is, anti-syphon measures).
RADIATION PROTECTION
General requirements
6.99. Radiation protection is directed to preventing any avoidable radiation exposure
and to keeping any unavoidable exposures as low as reasonably achievable. This
objective shall be accomplished in the design by means of the following:
(1) appropriate layout and shielding of structures, systems and components containing radioactive materials;
(2) paying attention to the design of the plant and equipment so as to minimize the number and duration of human activities undertaken in radiation fields and reduce the likelihood of contamination of the site personnel;
(3) making provision for the treatment of radioactive materials in an appropriate form and condition, for either their disposal, their storage on the site or their removal from the site; and
(4) making arrangements to reduce the quantity and concentration of radioactive materials produced and dispersed within the plant or released to the environment.
6.100. Full account shall be taken of the potential buildup of radiation levels with
time in areas of personnel occupancy and of the need to minimize the generation of
radioactive materials as wastes.
Design for radiation protection
6.101. Suitable provision shall be made in the design and layout of the plant to minimize exposure and contamination from all sources. Such provision shall include adequate design of structures, systems and components in terms of: minimizing exposure
during maintenance and inspection; shielding from direct and scattered radiation;
ventilation and filtration for control of airborne radioactive materials; limiting the
activation of corrosion products by proper specification of materials; means of monitoring; control of access to the plant; and suitable decontamination facilities.
6.102. The shielding design shall be such that radiation levels in operating areas do
not exceed the prescribed limits, and shall facilitate maintenance and inspection so as
to minimize exposure of maintenance personnel. The ALARA principle shall be
applied.
6.103. The plant layout and procedures shall provide for the control of access to
radiation areas and areas of potential contamination, and for minimizing contamination
from the movement of radioactive materials and personnel within the plant. The plant
layout shall provide for efficient operation, inspection, maintenance and replacement
as necessary to minimize radiation exposure.
6.104. Provision shall be made for appropriate decontamination facilities for both
personnel and equipment and for handling any radioactive waste arising from decontamination activities.
(1) Stationary dose rate meters shall be provided for monitoring the local radiation dose rate at places routinely occupied by operating personnel and where the changes in radiation levels in normal operation or anticipated operational occurrences may be such that access shall be limited for certain periods of time. Furthermore, stationary dose rate meters shall be installed to indicate the general radiation level at appropriate locations in the event of design basis accidents and, as practicable, severe accidents. These instruments shall give sufficient information in the control room or at the appropriate control position that plant personnel can initiate corrective action if necessary.
(2) Monitors shall be provided for measuring the activity of radioactive substances in the atmosphere in those areas routinely occupied by personnel and where the levels of activity of airborne radioactive materials may on occasion be expected to be such as to necessitate protective measures. These systems shall give an indication in the control room, or other appropriate locations, when a high concentration of radionuclides is detected.
(3) Stationary equipment and laboratory facilities shall be provided for determining in a timely manner the concentration of selected radionuclides in fluid process systems as appropriate, and in gas and liquid samples taken from plant systems or the environment, in operational states and in accident conditions.
(4) Stationary equipment shall be provided for monitoring the effluents prior to or during discharge to the environment.
(5) Instruments shall be provided for measuring radioactive surface contamination.
(6) Facilities shall be provided for monitoring of individual doses to and contamination of personnel.
6.106. In addition to the monitoring within the plant, arrangements shall also be
made to determine radiological impacts, if any, in the vicinity of the plant, with particular reference to:
Appendix I
POSTULATED INITIATING EVENTS
I.1. This appendix elaborates on the definition and application of the concept of the
postulated initiating event (PIE).
I.2. A PIE is defined as an event identified in design as leading to anticipated
operational occurrences or accident conditions. This means that a PIE is not an accident
itself; it is the event that initiates a sequence and that leads to an operational occurrence,
a design basis accident or a severe accident depending on the additional failures that
occur. Typical examples are: equipment failures (including pipe breaks), human
errors, human induced events and natural events.
I.3. A PIE may be of a type that has minor consequences, such as the failure of a
redundant component, or it may have serious consequences, such as the failure of a
major pipe in the reactor coolant system. It is a main objective of the design to achieve
plant characteristics that ensure that the majority of the PIEs have minor or even
insignificant consequences; and that if the remainder lead to design basis accidents,
the consequences are acceptable; or if they lead to severe accidents, the consequences
are limited by design features and accident management.
I.4. A full range of events needs to be postulated in order to ensure that all credible
events with potential for serious consequences and significant probability have been
anticipated and can be withstood by the design of the plant. There are no firm criteria
to govern the selection of PIEs; rather the process is a combination of iteration
between the design and analysis, engineering judgement and experience from previous
plant design and operation. Exclusion of a specific event sequence needs to be justified.
I.5. The number of PIEs to be used in the development of the performance requirements for the items important to safety and in the overall safety assessment of the
plant should be limited to make the task practical, and this is done by restricting the
detailed analysis to a number of representative event sequences.4 The representative
event sequences identify bounding cases and provide the basis for numerical design
limits for structures, systems and components important to safety.
4 The phrase "event sequence" or "sequence of events" is used to refer to the combination of a PIE and subsequent operator actions or actions for items important to safety.
I.6. Some PIEs may be specified deterministically, on the basis of a variety of factors
such as experience of previous plants, particular requirements of national licensing
bodies or perhaps the magnitude of potential consequences. Other PIEs may be specified
by means of systematic methods such as a probabilistic analysis because particular
features of the design, the location of the plant or operational experience enable their
characteristics to be quantified in probabilistic terms.
TYPES OF PIE
Internal events
Equipment failures
I.7. Initiating events can be individual equipment failures that could directly or
indirectly affect the safety of the plant. The list of these events adequately represents
all credible failures of plant systems and components.
I.8. The types of failure that need to be considered depend on the kind of system or
component involved. A failure in the broadest sense is either the loss of ability of the
system or component to perform its function or the performance of an undesirable
function. For example, a pipe failure could be a leak, a rupture or the blockage of a
flow path. For an active component such as a valve, the failure could take the form of
not opening or closing when necessary, opening or closing when not necessary, partial
opening or closing, or opening or closing at the wrong speed. For a device such as an
instrument transducer, the failure could take the form of error outside the permitted
error band, absence of output, constant maximum output, erratic output or a combination thereof.
I.9. With the increasing use of computer based systems in safety applications and
safety critical applications, a hardware failure or an incorrect software programme
may lead to significant control actions; this possibility should be considered.
Human error
I.10. In many cases the consequences of human errors will be similar to the
consequences of failures of components. Human errors may range from faulty or
incomplete maintenance operations, to incorrect setting of control equipment limits
or wrong or omitted operator actions (errors of commission and errors of omission).
for the corrective action is short. In such instances, combinations of such events need
not be considered.
I.17. For the near term period (usually having a duration of hours), the expected
probabilities of occurrence of the individual events may be such that a randomly
occurring combination would be considered not a credible scenario.
I.18. For the post-event recovery period (of days or longer), additional events may
need to be taken into account, depending upon the length of the recovery period and
the expected probabilities of the events. For the recovery period, it may be realistic to
assume that the severity of an event that has to be taken in a combination is not as
great as would need to be assumed for the same kind of event considered over a time
period corresponding to the lifetime of the plant. For example, in the recovery period
for a loss of coolant accident, if a random combination with an earthquake needs to
be considered, the severity could be taken as less than the severity of the design basis
earthquake for the plant.
Appendix II
REDUNDANCY, DIVERSITY AND INDEPENDENCE
II.1. This appendix presents several design measures that may be used, if necessary
in combination, to achieve and maintain the necessary reliability commensurate with
the importance of the safety functions to be fulfilled within the relevant levels of
defence in depth.
II.2. Although no universal quantitative targets can be expressed for the individual reliability requirements for each level of defence in depth, the greatest emphasis should be
placed on the first level. This is also consistent with the objective of the operating organization that there should be high availability of the plant for power production.
II.3. As a guideline or for use as acceptance criteria agreed upon with the regulatory
body, maximum unavailability limits for certain safety systems may be established to
ensure the necessary reliability for the performance of safety functions.
REDUNDANCY
II.7. Redundancy, the use of more than the minimum number of sets of equipment
to fulfil a given safety function, is an important design principle for achieving high
reliability in systems important to safety, and for meeting the single failure criterion for
safety systems. Redundancy enables failure or unavailability of at least one set of equipment to be tolerated without loss of the function. For example, three or four pumps
might be provided for a particular function when any two would be capable of carrying
it out. For the purposes of redundancy, identical or diverse components may be used.
DIVERSITY
II.8. The reliability of some systems can be enhanced by using the principle of
diversity to reduce the potential for certain common cause failures.
II.9. Diversity is applied to redundant systems or components that perform the same
safety function by incorporating different attributes into the systems or components.
Such attributes could be different principles of operation, different physical variables,
different conditions of operation, or production by different manufacturers, for example.
II.10. Care should be exercised to ensure that any diversity used actually achieves the
desired increase in reliability in the as-built design. For example, to reduce the potential
for common cause failures the designer should examine the application of diversity
for any similarity in materials, components and manufacturing processes, or subtle
similarities in operating principles or common support features. If diverse components or systems are used, there should be a reasonable assurance that such additions
are of overall benefit, taking into account the disadvantages such as the extra complication in operational, maintenance and test procedures or the consequent use of
equipment of lower reliability.
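As an added illustration of paras II.7 to II.10 (example code, not part of the IAEA text), the following Python models a k-out-of-n redundant safety function with a beta-factor common cause fraction, and shows why a fourth identical pump adds little once common cause failure dominates while diverse groups lower that floor. The per-train unavailability, the beta values and the treatment of diverse groups as fully independent are assumptions of the example, not figures from the standard.

```python
"""Worked model for Appendix II (added example, not IAEA text).

A safety function is served by n identical trains of which k are needed.
Each train has unavailability q. A fraction beta of that unavailability is
assumed to be a common cause failure (CCF) that removes every train at once
(the classic beta-factor model); the remainder fails independently.
All numeric values below are illustrative assumptions, not values from NS-R-1.
"""
from math import comb


def meets_single_failure_criterion(n: int, k: int) -> bool:
    """A k-out-of-n function tolerates one failed train iff n - k >= 1."""
    return n - k >= 1


def k_of_n_unavailability(n: int, k: int, q: float) -> float:
    """P(fewer than k of n trains available), independent failures only."""
    return sum(comb(n, f) * q ** f * (1 - q) ** (n - f)
               for f in range(n - k + 1, n + 1))


def system_unavailability(n: int, k: int, q: float, beta: float) -> float:
    """Beta-factor model: the CCF part fails all trains together; the
    independent part is a k-out-of-n problem on the remaining unavailability."""
    q_ccf = beta * q
    q_ind = (1 - beta) * q
    return q_ccf + (1 - q_ccf) * k_of_n_unavailability(n, k, q_ind)


def diverse_groups_unavailability(group_unavailabilities) -> float:
    """Function lost only if every diverse group is lost. Assumes no CCF
    coupling between groups; II.10 warns that subtle similarities (materials,
    support features) can violate this, so treat the result as a best case."""
    u = 1.0
    for g in group_unavailabilities:
        u *= g
    return u


def redundancy_gain(n_from: int, n_to: int, k: int, q: float, beta: float) -> float:
    """Factor by which adding trains (n_from -> n_to) reduces unavailability."""
    return (system_unavailability(n_from, k, q, beta)
            / system_unavailability(n_to, k, q, beta))


if __name__ == "__main__":
    q = 0.01  # assumed per-pump unavailability
    # II.7: "three or four pumps ... when any two would be capable"
    for beta in (0.0, 0.1):
        print(f"beta={beta}: 2-of-3 = {system_unavailability(3, 2, q, beta):.3e}, "
              f"2-of-4 = {system_unavailability(4, 2, q, beta):.3e}, "
              f"gain from 4th pump = {redundancy_gain(3, 4, 2, q, beta):.1f}x")
    # II.8-II.9: one identical 1-of-4 group vs two diverse 1-of-2 groups
    identical = system_unavailability(4, 1, q, 0.1)
    one_group = system_unavailability(2, 1, q, 0.1)
    diverse = diverse_groups_unavailability([one_group, one_group])
    print(f"1-of-4 identical: {identical:.3e}; two diverse 1-of-2 groups: {diverse:.3e}")
```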
INDEPENDENCE
II.11. The reliability of systems can be improved by maintaining the following features
for independence in design:
independence among redundant system components;
independence between system components and the effects of PIEs such that, for
example, a PIE does not cause the failure or loss of a safety system or safety
function that is necessary to mitigate the consequences of that event;
appropriate independence between or among systems or components of different
safety classes; and
independence between items important to safety and those not important to
safety.
Functional isolation
System layout and design should use physical separation as far as practicable to
increase assurance that independence will be achieved, particularly in relation to
certain common cause failures.
Physical separation includes:
separation by geometry (such as distance or orientation);
separation by barriers; or
separation by a combination of these.
The choice of means of separation will depend on the PIEs considered in the design
basis, such as effects of fire, chemical explosion, aircraft crash, missile impact, flooding,
extreme temperature or humidity, as applicable.
II.13. Certain areas of the plant tend to be natural centres of convergence for equipment
or wiring of various levels (categories) of importance to safety. Examples of such
centres may be containment penetrations, motor control centres, cable spreading
rooms, equipment rooms, the control rooms and the plant process computers.
Appropriate measures to avoid common cause failures should be taken, as far as
practicable, in such locations.
Annex
SAFETY FUNCTIONS FOR BOILING WATER REACTORS,
PRESSURIZED WATER REACTORS AND PRESSURE TUBE REACTORS
A1. This annex gives an example of a detailed subdivision of the three fundamental
safety functions defined in para. 4.6.
A2. These safety functions include those necessary to prevent accident conditions
as well as those necessary to mitigate the consequences of accident conditions. They
can be fulfilled, as appropriate, using structures, systems or components provided for
normal operation, those provided to prevent anticipated operational occurrences from
leading to accident conditions or those provided to mitigate the consequences of
accident conditions.
A3. A review of various reactor designs shows that current design safety requirements
can be met by having structures, systems or components that perform the following
safety functions:
1 This safety function applies to the first step of the heat removal system(s). The remaining step(s) are encompassed in safety function (8).
2 This is a support function for other safety systems when they must perform their safety
functions.
A4. This list of safety functions may be used as a basis for determining whether a
structure, system or component performs or contributes to one or more safety functions
and to provide a basis for assigning an appropriate gradation of importance to the
safety structures, systems and components that contribute to the various safety
functions.
GLOSSARY
[Figure: relationship of safety system components: protection system; safety actuation system; safety system support features.]
[Figure: plant states. Operational states: normal operation; anticipated operational occurrences. Accident conditions: design basis accidents; (a); beyond design basis accidents: (b), severe accidents; accident management.]
(a) Accident conditions which are not explicitly considered design basis accidents but which are encompassed by them.
(b) Beyond design basis accidents without significant core degradation.
accident conditions. Deviations from normal operation more severe than
anticipated operational occurrences, including design basis accidents and
severe accidents.
accident management. The taking of a set of actions during the evolution of a
beyond design basis accident:
to prevent the escalation of the event into a severe accident;
to mitigate the consequences of a severe accident; and
to achieve a long term safe stable state.
anticipated operational occurrence. An operational process deviating from
normal operation which is expected to occur at least once during the operating lifetime of a facility but which, in view of appropriate design provisions,
does not cause any significant damage to items important to safety or lead to
accident conditions.
design basis accident. Accident conditions against which a nuclear power plant
is designed according to established design criteria, and for which the
damage to the fuel and the release of radioactive material are kept within
authorized limits.
normal operation. Operation within specified operational limits and conditions.
operational states. States defined under normal operation and anticipated
operational occurrences.
postulated initiating event. An event identified during design as capable of leading
to anticipated operational occurrences or accident conditions.
protection system. System which monitors the operation of a reactor and which, on
sensing an abnormal condition, automatically initiates actions to prevent an
unsafe or potentially unsafe condition.
safety function. A specific purpose that must be accomplished for safety.
safety group. The assembly of equipment designated to perform all actions required
for a particular postulated initiating event to ensure that the limits specified in the
design basis for anticipated operational occurrences and design basis accidents
are not exceeded.
safety system. A system important to safety, provided to ensure the safe shutdown of
the reactor or the residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and design basis accidents.
safety system settings. The levels at which protective devices are automatically actuated in the event of anticipated operational occurrences or accident conditions, to
prevent safety limits being exceeded.
severe accidents. Accident conditions more severe than a design basis accident
and involving significant core degradation.
single failure. A failure which results in the loss of capability of a component to
perform its intended safety function(s), and any consequential failure(s) which
result from it.
ultimate heat sink. A medium to which the residual heat can always be transferred,
even if all other means of removing the heat have been lost or are insufficient.
Allen, P.
Cowley, J.S.
De Munk, P.
Feron, F.
Foskolos, K.
Frisch, W.
Gasparini, M.
Hardin, W.
Kavun, O.
Omoto, A.
Park, D.
Price, E.G.
Simon, M.
Tripputi, I.
Vidard, M.
ADVISORY BODIES
FOR THE ENDORSEMENT OF SAFETY STANDARDS